SSH Tectia ConnectSecure and SSH Tectia Server software can be used to effectively secure server-to-server file transfer traffic, without the need to change the original file transfer applications, scripts, or network IT architecture.
The following steps outline an example deployment, where the FTP-SFTP conversion functionality of SSH Tectia ConnectSecure is used to automatically secure server-to-server FTP traffic, without changing the original scripts or FTP applications. The platforms in the example below are Unix servers, but you can also use this feature with SSH Tectia Server on Windows and IBM z/OS mainframes.
To deploy secure file transfer, follow the steps below:
Compile a list of the file transfer connections to be secured, including both the originating and end-point servers, and the applications or scripts performing the file transfers.
The example environment contains the Management Server, the originating file transfer Unix servers, and the file transfer end-point Unix servers. Scripts on the originating servers perform FTP transfers to the end-point servers, using the built-in FTP clients and servers of the Unix operating systems.
The Management Agent has been deployed to all target hosts as described in Step 2 in Secure System Administration. SSH Tectia Client has been deployed to the originating hosts and SSH Tectia Server to the end-point hosts, as described in Step 3 in Secure System Administration. The file transfer administration staff has been trained in the implications of securing file transfer traffic, and in deploying and operating the SSH Tectia client/server solution.
Ensure that traffic to TCP/IP port 22 (or the other port selected for SSH traffic) is allowed through the firewalls within the target environment.
In SSH Tectia Manager, create the FTP filter rules for SSH Tectia ConnectSecure where you select which file transfers from the originating hosts will be secured (can be done per file transfer application or per destination host, for instance). For more details on defining the file transfer rules, see SSH Tectia ConnectSecure Administrator Manual and SSH Tectia Manager Administrator Manual.
To enable the connection capture component locally on the originating Unix server, you can use the default server configuration, but we recommend that you review the need for further access and service control settings.
Deploy the configurations to the managed hosts.
The created FTP-SFTP conversion rules are dynamically allocated to each originating host, according to the source host groups that have been defined in the capture rules. The tunneling rules are combined into the SSH Tectia ConnectSecure configuration file when the deployment process is initiated, and the rules are deployed to the target host the same way as the SSH Tectia Client/Server configuration is deployed.
Once the new configurations are deployed, the SSH Tectia ConnectSecure software transparently captures the FTP traffic on the originating servers, converts it to SFTP, and forwards it to the SSH Tectia Server software on the end-point servers.
All return codes from the SFTP server are converted back to FTP return codes and passed back to the original FTP software. The username and password used for the original FTP transfers are captured and used in the SFTP traffic. Connections other than those defined in the FTP/SFTP capture rules are not affected, and they are transmitted as plaintext. The SFTP file transfers are logged on the SSH Tectia Servers. SSH Tectia Server status monitoring and log gathering are described in Step 11 in Secure System Administration.
For information on how to configure stronger authentication methods, such as public keys or PKI, see the Administrator Manuals for SSH Tectia Client, ConnectSecure, and Server.
Test the file transfer traffic to ensure connectivity.
If you want to prevent all unsecured connectivity to the end-point servers, the FTP server software on those servers can be disabled and the firewalls can be configured to block access to the unsecured ports.
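The first step above, compiling the list of file transfer connections to be secured, is often the most laborious part of such a deployment, because the FTP calls are buried in batch scripts on the originating hosts. The following added example (not SSH Tectia code; host names, script paths, and the script contents are constructed for illustration) scans shell scripts for command-line `ftp` invocations and `ftp://` URLs, and groups the results per end-point host and port, which is the unit that a capture rule is typically written against.

```python
"""Inventory FTP transfers found in batch scripts (constructed example)."""
import re
from collections import defaultdict

# Constructed sample scripts, keyed by "originating host:script path" (assumed names).
SAMPLE_SCRIPTS = {
    "orig-unix-1:/opt/batch/nightly_export.sh": """
#!/bin/sh
ftp -n endpoint-a.example.com <<EOF
user batch secret
put /data/export.csv
quit
EOF
""",
    "orig-unix-2:/opt/batch/pull_reports.sh": """
#!/bin/sh
ftp -i -n -v endpoint-b.example.com 2121 < /opt/batch/cmds.txt
curl -u report:pw ftp://endpoint-a.example.com/in/report.txt -o /tmp/r.txt
""",
}

# "ftp [flags] host [port]" at the start of a line; "ftp://[user@]host[:port]" anywhere.
FTP_CLI = re.compile(r"^\s*ftp\b((?:\s+-\w+)*)\s+(\S+)(?:\s+(\d+))?", re.M)
FTP_URL = re.compile(r"ftp://(?:[^@\s/]+@)?([^:/\s]+)(?::(\d+))?")

def find_ftp_connections(scripts):
    """Return a sorted list of (script, end-point host, port) for every FTP use found."""
    found = set()
    for name, body in scripts.items():
        for _flags, host, port in FTP_CLI.findall(body):
            found.add((name, host, int(port) if port else 21))
        for host, port in FTP_URL.findall(body):
            found.add((name, host, int(port) if port else 21))
    return sorted(found)

def group_by_endpoint(connections):
    """Group the originating scripts per (host, port), the unit a capture rule targets."""
    groups = defaultdict(set)
    for script, host, port in connections:
        groups[(host, port)].add(script)
    return {key: sorted(scripts) for key, scripts in groups.items()}

if __name__ == "__main__":
    for (host, port), scripts in group_by_endpoint(find_ftp_connections(SAMPLE_SCRIPTS)).items():
        print(f"{host}:{port} <- {', '.join(scripts)}")
```

Run it against the real script directories of each originating host to get a per-end-point list to build the filter rules from; transfers that use other FTP clients would need additional patterns.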